THROUGH: Alec Palmer, Staff Director

FROM: Katie A. Higginbotham, Co-Chief Privacy Officer, Acting Deputy Staff Director for Management and Administration

Gregory R. Baker, Co-Chief Privacy Officer, Deputy General Counsel - Administration

SUBJECT: Privacy & Data Protection Follow-Up Audit Updated Corrective Action Plan


The Privacy Team typically circulates to the Commission, on a biannual basis, an 
update to management’s corrective action plan from the 2010 Privacy and Data 
Protection Follow-Up Audit. In March 2011, the Office of Inspector General issued its 
final audit report from the 2010 Privacy and Data Protection Follow-Up Audit, and on 
June 8, 2011, the Privacy Team circulated to the Commission management's Corrective 
Action Plan (CAP) to address the audit recommendations. 


With the very recent hiring by the Administrative Law Team of an attorney with 
significant experience in handling Privacy Act-related matters, the Privacy Team now has 
additional staff resources to devote to addressing the CAP recommendations. With these 
additional resources, in the past 4 months the Privacy Team has closed out CAP 
recommendations 3B, 10B, 11A, 12A, and 13. 


The Privacy Team intends to, among other things, continue to work to ensure that 
necessary privacy and security controls are fully instituted, and we believe we can close out 
CAP recommendations 4A, 4B, 4C, 4D, 7A, 7D, 7E, 7F, 8D, 12B, 12D, and 12E in this 
fiscal year. Attached is an updated version of the corrective action plan provided for 
informational purposes. 

Please feel free to contact the Co-Chief Privacy Officers if you have any 
questions. 
Report date: 3/31/2011

Recommendation (11B): Should develop a policy and supporting procedures to assess and approve vendors with access to FEC PII to reasonably ensure that the vendor has adequate controls in place to protect the information before any PII is provided to the vendor.

Management response: Agree

Planned corrective action: Collaborate with the Contracting Officer and Chief Financial Officer to develop policies and supporting procedures that will require prospective contractors to provide evidence of internal controls that will safeguard the agency's sensitive information or PII that the contractor has access to.

Target date: 9/30/2011

Management status update: Contracting has developed a tracking spreadsheet to track vendors that handle PII and revised the COR responsibilities letter to include language which obligated the COR to alert the Contracting Officer to new contracts where vendors handle PII so that the Contractor can add the vendor to the spreadsheet. The revised COR letter and the tracking spreadsheet have been sent to the IG.

Implementation due date: 1/21/2019 (-53)

OIG contact: Katrina Sutphin

OIG comment: To verify policy implementation, the OIG requested the most recent signed COR designation letter from the Contracting Officer. Upon review of a COR letter that was effective as of October 3, 2018, the updates proposed to resolve this item were not included in the letter. Management must make sure this corrective action has been implemented for all new contracts in order to sufficiently close this recommendation. See attachments included for status update. 11/9/18 - MF




Report date: 3/31/2011

Recommendation (11C): Should formally document the process used to review the FEC's vendors, and the results should be retained to evidence the review procedures performed.

In addition, there should be documented management approval from the department head that is the source of the information to be shared with the vendor and either of the Co-Chief Privacy Officers before the vendor is provided access to FEC PII. There may be more than one department head that should review and approve a specific vendor if the PII affected pertains to more than one department.

Management response: Agree

Planned corrective action: Work with Contracting Officer to develop a process for reviewing and documenting vendor privacy controls. Create a CPO privacy approval process that vendors must undergo before gaining access to FEC PII. Evaluate various options for accomplishing this goal.

Target date: 9/30/2011

Management status update: Work with Contracting Officer to document or develop a process for reviewing and documenting vendor privacy controls.

Implementation due date: 11/1/2019 (-337)

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.



Timely Updates to SORs

Report date: 3/31/2011

Recommendation (12B): Enhance existing guidelines and procedures to include timelines and deadlines that promote regular review and timely updates to SORs.

Management response: Agree

Planned corrective action: Update the SORNs Review Guidelines and the Procedures for Conducting the Circular A-130 System of Records Notices Review to include internal benchmarks and goals for biennial reviews and updates of SORNs and SORs.

Target date: 1/31/2012

Management status update: OGC has agreed to a biennial (every 2 years) review of the SORs which the privacy attorney will be conducting by March 31, 2019. This review as a matter of course will include all FEC departments including the Physical Security Officer, the FEC Records Officer, and FEC Management, Facilities, and every area of the FEC. The policy that states we will conduct this review every two years was sent to the IG as was the SOR 'checklist' which tells us in total what SORs we currently have.

After the policy you will find the form we intend to fill out for each SOR to ensure the SOR has been properly reviewed.

Implementation due date: 5/1/2019 (-153)

OIG contact: Katrina Sutphin

OIG comment: The OIG reviewed management's status update to conduct a review by March 31, 2019. Once the review is conducted, the OIG will be able to assess the results of the corrective actions taken. Until that time, the recommendation remains open. The OIG revised the implementation due date to correlate with management's stated review period. 11/9/2018 - MF


SORs Assessment of Electronic and Paper Records

Report date: 3/31/2011

Recommendation (12D): Work with the Physical Security Officer, the FEC Records Officer, and FEC management to incorporate SORs assessment processes into electronic and paper records management processes.

Management response: Agree

Planned corrective action: Work with the Administrative Services and the Commission Secretary's Office to ensure that SORs are considered during records management and physical security operations.

Target date: 3/31/2012

Management status update: OGC has agreed to a biennial (every 2 years) review of the SORs which the privacy attorney will be conducting by March 31, 2019. This review as a matter of course will include all FEC departments including the Physical Security Officer, the FEC Records Officer, and FEC Management, Facilities, and every area of the FEC. The policy that states we will conduct this review every two years was sent to the IG as was the SOR 'checklist' which tells us in total what SORs we currently have.

After the policy you will find the form we intend to fill out for each SOR to ensure the SOR has been properly reviewed.

Implementation due date: 5/1/2019 (-153)

OIG contact: Katrina Sutphin

OIG comment: The OIG reviewed management's status update to conduct a review by March 31, 2019. Once the review is conducted, the OIG will be able to assess the results of the corrective actions taken. Until that time, the recommendation remains open. The OIG revised the implementation due date to correlate with management's stated review period. 11/9/2018 - MF



Policy for Monitoring and Reporting SORs

Report date: 3/31/2011

Recommendation (12E): Develop and implement policies and procedures that define monitoring and reporting processes to ensure SORs are updated and amendments published in accordance with Federal regulations by: 1) providing regular training to FEC managers and SOR system owners/managers; 2) establishing deadlines, based on the legal requirement of OMB A-130, for documenting the new SORs, revisions to existing SORs, and publishing the updated SORN; 3) providing legal assessment of potential changes in SORs and quality assuring the SORs produced by system owners/managers; 4) including performance standards in employee performance plans that are linked to successful compliance with Federal regulations; and 5) requiring regular reporting of compliance with the timelines to the Commission.

Management response: Agree

Planned corrective action: Develop privacy system manager training. Create internal benchmarks or goals to meet SORNs publication deadlines. Continue conducting legal assessments of potential system of record changes.

Target date: 3/31/2012

Management status update: Send a memo to FEC managers explaining the institution and use of the SOR addition form and requesting any SOR additions by Dec 2018. By March 31, 2019, the privacy counsel will conduct the first biennial SOR review and update the SORs for the FEC. After this first review, the privacy team will continue conducting legal assessments of potential system of record changes and also will accept submissions of SORs using the SOR addition request form from managers outside the Privacy Team. A record of the biennial SOR reviews will be kept for the IG to review. Privacy Counsel's standards include reference to keeping accurate records and reviewing departments for changes.

Implementation due date: 1/21/2019 (-53)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.




Report date: 3/31/2011

Recommendation (2A): Conduct privacy impact assessments in accordance with Section 522, or create an alternative process for ensuring that privacy risks associated with PII are determined, assessed and remediated as necessary.

Management response: Agree

Planned corrective action: Create a privacy impact evaluation process to track the information collected in, and system controls for, information systems.

Target date: 11/30/2011

Management status update: OCFO has an ERM process in development per the new A-123 guidance that assesses risk agency-wide and could cover this recommendation. Privacy Counsel will meet with Gilbert and discuss, then provide further action plan. Management is researching and developing a solution to address the recommendation.

Implementation due date: 12/1/2019 (-367)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.




Report date: 3/31/2011

Recommendation (2B): Comply with OMB memoranda, or in the event of statutory exemption and a decision not to voluntarily comply, document that sufficient controls exist to mitigate the need to comply. Where compliance is not adopted due to resource constraints or other reasons, document the legal assessment, risk analysis, and cost-benefit to the FEC.

Management response: Agree

Planned corrective action: Conduct an informal cost-benefit analysis of privacy-related OMB requirements when the agency is exempt from such requirements.

Target date: 5/30/2011

Management status update: Management is researching and developing a solution to address the recommendation.

Implementation due date: 12/1/2019 (-367)

OIG contact: Katrina Sutphin

OIG comment: Will review management's planned corrective action once identified.



Governance Framework to Protect PII

Report date: 3/31/2011

Recommendation (2C): Identify and implement a governance framework (e.g., NIST, the AICPA's Generally Accepted Privacy Principles (GAPP)), to ensure that controls within the FEC to protect PII are appropriately identified, documented, and implemented.

Management response: Agree

Planned corrective action: Review the AICPA Generally Accepted Privacy Principles (GAPP) and determine if it is feasible to implement as a privacy governance framework for the agency, in whole or in part.

Target date: 4/30/2012

Management status update: Management is researching and developing a solution to address the recommendation.

Implementation due date: 12/1/2019 (-367)

OIG contact: Katrina Sutphin

OIG comment: Will review management's planned corrective action once identified.


Inventory of Systems with PII

Report date: 3/31/2011

Recommendation (4A): Update and maintain the inventory of all systems that contain PII for all the divisions. A potential approach is to use the templates created by STSI and have each division update their current listing and implement business processes to continually update the inventory based on new or revised handling and storage of PII. A full review could be conducted by the divisions at least annually and would help support the biennial Privacy Act Systems of Records update process.

Management response: Agree

Planned corrective action: Update the 2009 PII review inventory. Note: These action items are subject to the availability of contractor funds and Commission notification.

Target date: 4/30/2012

Management status update: Update the 2009 PII review inventory and provide proof of this procedure to the IG.

Implementation due date: 2/1/2019 (-64)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.
CAP of STSI Recommendations

Report date: 3/31/2011

Recommendation (4B): Finalize the evaluation of the draft STSI recommendations and develop, document and implement a corrective action plan as necessary. Progress against the corrective action plan should be formally and periodically reported to management.

Management response: Agree

Planned corrective action: Complete review of evaluation report recommendations, approval of the recommendations, and prepare an action plan for addressing the approved

Target date: 2/29/2012

Management status update: Review STSI report, notate on report which action items correspond to the CAP and refer IG to the current CAP plan to resolve those joint STSI and CAP audit items. If any items on the STSI plan do not correspond to the CAP plan those will be addressed and resolved. This document will be provided to the IG.

Implementation due date: 1/21/2019 (-53)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.



SSN Reduction Plan

Report date: 3/31/2011

Recommendation (4C): Provide the Privacy Team's SSN Reduction Plan Phase 1 report to the applicable division heads, and work with those offices to prepare action plans to address the findings in the report.

Management response: Agree

Planned corrective action: Approve the SSN Reduction Plan Phase 1 report and work with division heads to address the report findings.

Target date: 3/31/2012

Management status update: Audit and inventory Social Security Number and PII usage within FEC. Interview information owners and determine whether PII and SSN collection and storage is necessary. Prepare spreadsheet reporting those findings to IG. (4c) Remediate by eliminating unnecessary uses of PII and SSNs (4d) and reporting results to IG. This process will be completed once per fiscal year. A record will be kept noting that we completed this process each year.

Implementation due date: 2/1/2019 (-64)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.



Comply with OMB M-07-16

Report date: 3/31/2011

Recommendation (4D): Complete Phase 2 and Phase 3 of the FEC's "Plan to Review and Reduce Holdings of Personally Identifiable Information and Eliminate Unnecessary Use of Social Security Numbers in Response to OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information" as soon as practical. This can be accomplished by providing the STSI results to the divisions and requesting a response on the ability to reduce or eliminate the questionable uses of social security numbers already identified by the contractor.

Management response: Agree

Planned corrective action: Complete Phases 2 and 3 of the plan by disclosing the findings of the Phase 1 report to the applicable division heads, and work with division heads to address the report findings.

Target date: 3/31/2012

Management status update: Audit and inventory Social Security Number and PII usage within FEC. Interview information owners and determine whether PII and SSN collection and storage is necessary. Prepare spreadsheet reporting those findings to IG. (4c) Remediate by eliminating unnecessary uses of PII and SSNs (4d) and reporting results to IG. This process will be completed once per fiscal year. A record will be kept noting that we completed this process each year.

Implementation due date: 2/1/2019 (-64)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.



Annual Risk Assessment of Systems with PII

Report date: 3/31/2011

Recommendation (5A): Conduct a risk assessment annually for all existing and new applications that collect, process, transmit or store PII. If PIAs were performed, a risk assessment component could be built into that process to accomplish both the PIA and risk assessment recommendations.

Management response: Agree

Planned corrective action: Conduct an informal risk assessment of agency PII during the biennial PII Review. Note: These action items are subject to the availability of contractor funds and Commission notification or approval.

Target date: 5/31/2012

Management status update: Conduct an informal risk assessment of agency PII. This could possibly be resolved with Gilbert's risk mgt process; further research needed.

Implementation due date: 12/1/2019 (-367)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.



Develop CAP for Risk Assessment Deficiencies

Report date: 3/31/2011

Recommendation (5B): Prepare a documented corrective action plan for any deficiency noted for each risk assessment performed and report progress periodically until all corrective actions are implemented. The corrective action plan should be approved by management.

Management response: Agree

Planned corrective action: Prepare an informal documented assessment of the findings from the next biennial PII review, with recommended action items. Note: These action items may be subject to the availability of contractor funds for the 2011 PII Review.

Target date: 9/30/2012

Management status update: Prepare a corrective action plan for what is found in 5A.

Implementation due date: 12/1/2019 (-367)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.



Identification of Encrypted Devices

Report date: 3/31/2011

Recommendation (6E): Include a record in the inventory listing of whether the device is encrypted or not.

Management response: Agree

Planned corrective action: Management does not concur with this recommendation and refers to its response in the final audit report.

Target date: 9/30/2011

Management status update: Management will provide a report that shows that devices are encrypted.

Implementation due date: 2/1/2019 (-64)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.

Regular Privacy Walkthroughs

Report date: 3/31/2011

Recommendation (7A): ISSO, Physical Security Officer, and/or division management should conduct regular walkthroughs to ensure that agency staff comply with privacy and information security standards. Implementation of those action items are subject to Commission notification and/or approval.

Management response: Agree

Planned corrective action: ISSO, Physical Security Officer and other management officials as appropriate will conduct walkthroughs of the building to ensure privacy and information security standards are being met. Implementation of those action items are subject to Commission not

Target date: 9/30/2011

Management status update: Create a policy to conduct yearly walkthroughs to ensure staff comply with privacy and information security standards. Document findings. Make log documenting yearly walkthroughs available to IG for inspection.

Implementation due date: 12/1/2018 (-2)

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.



Address Failures to Secure Sensitive Information

Report date: 3/31/2011

Recommendation (7D): Division managers should work with the Physical Security Officer and the Records Officer to assess records management and secure storage needs and address failures to adequately secure sensitive information noted during the walkthrough.

Management response: Agree

Planned corrective action: Discuss with the Physical Security Officer and the Records Officer security concerns for storage areas and records management raised during the security walkthroughs. Include in the discussion the pros and cons of locking suite doors after business hours. Implementation of these action items are subject to Commission approval if the security walkthroughs.

Target date: 9/30/2011

Management status update: Resolve issues found in walkthrough. Include in the discussion the pros and cons of locking suite doors after business hours.

Implementation due date: 7/1/2019 (-214)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.



Contractor Certification of Secure Destruction

Report date: 3/31/2011

Recommendation (7E): Contracting Officer and COTRs should enforce the requirement for contractors to certify secure destruction or return of FEC information in both paper and electronic format.

Management response: Agree

Planned corrective action: Assist the Contracting Office in developing a process for ensuring contractors return or securely destroy FEC information when no longer needed.

Target date: 9/30/2011

Management status update: Create and institute an exit checklist for contracts that are ending that ensures that contractors return or securely destroy FEC information when no longer needed.

Implementation due date: 12/1/2018 (-2)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.



COR Policies

Report date: 3/31/2011

Recommendation (7F): Should establish policy and procedures requiring COTRs to inspect the physical space occupied by contractors when the contractor departs to ensure paper and electronic records are securely disposed of or filed.

Management response: Agree

Planned corrective action: Work with the Contracting Officer to develop policies and procedures regarding COTR inspection of contractor-occupied space after termination of the contract.

Target date: 9/30/2011

Management status update: Create and institute an exit checklist for contracts that are ending that includes an inspection of contractor-occupied space after termination of the contract.

Implementation due date: 12/1/2018 (-2)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.



Annual Review of Privacy Policies

Report date: 3/31/2011

Recommendation (8D): Should review on a regular basis all of the privacy and data security policies, procedures, standards and guidelines on a defined timeframe (e.g., annually), and they should be dated, and updated as necessary and include a point of contact if employees have questions.

Management response: Agree

Planned corrective action: Conduct a biennial review of the privacy policies and continue the annual review of IT security policies. As part of those reviews, ensure that the policies contain a point of contact and effective and revision dates.

Target date: 3/31/2012

Management status update: Conduct and keep a log of annual reviews of all privacy policies. Make log available to IG for inspection. The first privacy inspection will be conducted April 2019.

Implementation due date: 10/30/2019 (-335)

OIG contact: Katrina Sutphin

OIG comment: Reviewed management's updated corrective action plan and will assess the adequacy of implementation once completed.